CloudSec/AppSec SKILup Day on September 22, 2022, offered insightful sessions, yoga, networking, a sponsor hall and a DevOps-inspired mixology class!
If you missed the CloudSec/AppSec SKILup Day, we’ve got you covered with a round-up of the top themes from the sessions and conversations around this incredibly important topic.
Why CloudSec/AppSec is Important
As we move containerized applications and microservices into the cloud, we are faced with a different set of security challenges. While the Cloud can solve some of the security challenges common in monolithic architecture, this modern architecture has its own to remedy. This SKILup Day explored various aspects of CloudSec/AppSec.
We’ll review key discussion points from the day in this post.
To summarize, CloudSec/AppSec SKILup Day speakers explored:
- Has DevOps Evolved Beyond Shift-Left?
- Why Self-Hosted is the New On-Prem for Open Source and Data Ownership
- Transforming Information Security
- Embedding API Security by Design into DevOps Pipelines
- DevOps: The Return of Security
- Empowering Developers at the Intersection of AppSec and CloudSec
- Your Developer Autonomy Journey: Creating a Secure, Confident Environment for Infra
- Embedding Security Testing in Modern DevOps Pipelines
CloudSec/AppSec SKILup Day Highlights
Tim Johnson, Senior Product Marketing Manager at CloudBees, joined this SKILup Day with his session, “Has DevOps Evolved Beyond Shift-Left?” Johnson presented an interesting take: that Shift-Left is a DevOps anti-pattern. He argued that their data indicates it places an unrealistic burden on developers, kills morale and provides only a point-in-time assessment, so whoever must attest to security and compliance will do so with incomplete and outdated data. He then reviewed survey results on security compliance, explained why current approaches to Shift-Left need to evolve to reflect today’s new realities, and described what Shift-Left, done right, looks like.
Ron Northcutt, Head of DevRel at Appsmith, presented why self-hosted is the new on-prem for Open Source and data ownership. Northcutt explained that while using the cloud instead of physical servers is easier and cheaper, modern regulations are creating the need to mimic the “old way.” Data sovereignty, network isolation and government policies are pushing businesses to self-host their software in dedicated VPCs. He explored how compliance and privacy laws impact software deployment, how self-hosting solves many internal data integration security concerns, and why OSS makes it easier to try, deploy and scale.
Kathleen Moriarty, Chief Technology Officer at the Center for Internet Security, shared subject matter expertise during the session, “Transforming Information Security.” Moriarty emphasized that in order to combat cyber threats for organizations of all sizes, there should be a transformation of how information security is delivered and managed. She did a deep dive on how to identify and design scalable and sustainable architectural patterns that facilitate security management in products that last. She also highlighted approaches that limit spending but maximize security posture.
Jeremy Snyder, Founder and CEO at FireTail, shared key insights during, “Embedding API Security by Design into DevOps Pipelines.” Snyder discussed why API security is important and the main threats to APIs. He explained why API security is an emerging attack vector and how DevOps practitioners should incorporate security into their application architectures.
Mustafa Toroman, DevOps Institute Ambassador and Solution Architect at Azure MVP, presented the session, “DevOps: The Return of Security.” He highlighted how security is often forgotten or neglected in DevOps journeys. He emphasized it doesn’t have to be a problem as long as we start implementing security in DevOps in time. Toroman indicated many features used in DevOps can be turned in our favor and used to increase security. He provided key DevOps security nuggets, real-world examples and insight into becoming a DevOps security expert.
Guy Eisenkot, Senior Director of Product Management at Prisma Cloud, provided real-world experience during the session, “Empowering Developers at the Intersection of AppSec and CloudSec.” He examined how this shift impacts the cloud-native security landscape and key considerations for adopting a consolidated approach to application and cloud security, from code to cloud and across cloud-native stacks. Eisenkot also explored the risks of siloing security efforts (e.g., software composition analysis (SCA) and infrastructure as code (IaC) security) and the role developers play in breaking silos and proactively eliminating risk across the development lifecycle.
Itamar Bareket, DevOps Engineer at Island, shared subject matter expertise during the session, “Your Developer Autonomy Journey: Creating a Secure, Confident Environment for Infra.” Bareket provided key insights into how to enable teams in your organization to move forward more quickly, how to broaden the autonomy of your teams when managing IaC, and how to create a self-service mindset in your organization. He proposed that by introducing Hermes – a Terraform execution platform that uses policy-as-code to assess the risk of a change – teams can maintain a good security posture, make infrastructural modifications without bottlenecks and, ultimately, decide who should review the change.
Najib Radzuan, DevOps Institute Ambassador and Founder of DevOps4Me, presented the session, “Embedding Security Testing in Modern DevOps Pipelines.” He highlighted that with increased delivery speed, software security can sometimes be compromised, and post-production software vulnerabilities threaten data and systems. These security loopholes delay software delivery and affect brand and customer loyalty, which costs time and money. Radzuan shared how DevOps teams can embed security testing into their CI/CD pipeline to reduce production security issues without compromising the customer journey or time and cost efficiency. He also revealed the most important forms of security testing that companies should use.
Graphic Summaries
For a quick recap, check out the graphic summaries below.
What’s Next?
For more insightful events, webinars, and in-person opportunities, stay up to date with the DevOps Institute event calendar: www.devopsinstitute.com/events/
Subscribe to SKILup IT Learning to watch previous SKILup Day and SKILup Hour content, as well as earn DevOps Institute Continuing Education Units (CEUs) as part of our Continuing Education Program.
Learn more and subscribe: devopsinstitute.com/skilup-it-learning/
Become a Certified DevOps Engineer
DevOps Institute empowers DevOps humans to advance career development and upskill for enterprise transformation by providing the resources, guidance, experts, and encouragement to learn. We’ve put together a suggested DevOps Engineer Certification Path and offer essential core competencies and various certifications to help advance your DevOps career and grow professionally.
Get started at devopsinstitute.com/certifications